When we met in Brussels in November, we spoke briefly about
the difficulties which airlines faced in the EU in complying
with the new US requirements for Passenger Name Record (PNR)
data.

Data protection authorities here take the view that PNR data
is flowing to the US in breach of our Data Protection Directive.
It is thus urgent to establish a framework which is more legally
secure. Your Department has been working with Commission officials
on this, with the agreed aim of establishing such a framework
by September. The centrepiece would be a decision by the Commission
finding that the protection provided for PNR data in the US meets
our "adequacy" requirement.

I must emphasize that an "adequacy" finding is not
a mere formality. It is not a device by which something that
was previously illegal becomes legal: it requires binding
undertakings to be made by the US authorities concerned
which meet a series of data protection concerns. You will understand
that I cannot recommend the Commission to adopt an "adequacy"
decision, or even consult the Member States on such a decision,
until I am convinced that the undertakings provided by the US
side to amount to adequate protection.

As things stand today, I have to say that the draft undertakings
provided by the US so far are not such as to convince me. Let
me pay tribute straightaway to the excellent contributions made
by your staff which has allowed some significant progress to
be made. Nevertheless, on a number of important points, the US
undertakings fall short of what we need and it is urgent that
these issues now be looked at from a political perspective

Against this background, I would like to ask you personally
to look at four specific issues on which I believe that further
movement towards our requirements must be achieved. Without a
better result on these issues, I shall in any case have great
difficulty in recommending a positive decision to the Commission.

The first issue is that of purpose limitation.
Any possibility of our excepting the US arrangements as legally
"adequate", rests on the justification that these measures
are necessary to combat terrorism. We recognize that you need
also to be able to tackle some forms of serious crime that are
related to terrorism and that the wording of the undertakings
has to reflect that.

But I must tell you that there is a strong consensus on [?]
in the EU that only a tightly worded undertaking both about the
way that US Customs and Border Protection (CBP) will use the
data and about the conditions under which the data may be shared
with and used by other agencies is acceptable. For more general
law enforcement needs, it remains possible -- and is in our view
necessary -- to rely on the usual channels of co-operation.

The second issue concerns sensitive data.
Certain categories of data must receive reinforced protection
under our law. Some such data may be included in certain PNR's
-- for example data that may reveal religion or a health condition.
US Customs and Border Protection officials have said throughout
the discussion that they would have no objection to the airlines
filtering out such data. The airlines are, however, unable to
install such a filter quickly and US CBP therefor committed itself
to filtering such data in its public statement of 4 March.

Given that US Customs and Border Protection and Transportation
Security Administration have no objection to not receiving
these data, they should filter them and then delete them altogether.
I find it hard to believe that it is not possible to meet our
request on this point, pending the installation of filters by
the airlines. The positive effect of such a step on the general
assessment that will be made here of the "adequacy"
of US protections is not to be under- estimated.

The third issue is that the US does not guarantee a redress
mechanism involving a truly independent body.
Your officials say that individuals with a grievance can take
the matter to a Court, but in that case the undertakings will
need to have binding legal force. We have been led to understand
that some of them may be enshrined in regulations, but not necessarily
all of them. The possibility of taking a matter to a Court in
a country that is not your own is not a very assessable sort
of justice. I would therefore ask you to consider the introduction
of an independent arbiter outside the US Government.

Failing this, we shall have to insist that the undertakings
as a whole be made legally binding, either via departmental regulations
or possibly via an international agreement, as currently under
discussion between our legal teams. More generally, the more
binding the undertakings, the stronger the justification for
finding they provide "adequate" protection.

The fourth issue is that of Advance Passenger Information
(API) data, which are currently not covered by the undertakings.
These data are equally subject to the European data protection
rules, and we therefore need a clear commitment from the US side
to work with us to find a mutually satisfactory solution on this
point also.

This is not a complete list of the points that still concern
us, but they are essential in our search for a legally secure
solution.

It would be a mistake to see this purely in terms of applying
the Data Protection Directive. We are concerned here about fundamental
rights and liberties which are constitutionally protected in
the law of several Member States. These liberties are fiercely
cherished in the European Union. Furthermore, political support
for them, which will shortly lead to them being enshrined in
the European Constitution, is already backed by strong jurisprudence
from both the European Court of Justice and the European Court
of Human Rights. Europe and the US share the same basic values
as regards civil liberties. You are probably tired of having
Franklin quoted at you on "temporary security", but
it is hard to disagree with him. I therefore believe that a mature
consideration of these requests at a political level will ensure
that they find a positive echo. indeed, I sincerely hope that
this will be the case since, if current efforts fail, we risk
a highly charged trans-Atlantic confrontation with no obvious
way out. Such confrontations are best avoided. Where efforts
to combat terrorism are concerned, it is even more important
that we show a solid front, but that we do so in a way that does
not undermine the very values we are defending.

Yours sincerely,

[signed] Frits Bolkestein

cc: Mr. William Asa Hutchinson
Under Secretary of Border and Transportation Security
US Department of Homeland Security
US - 20528 WASHINGTON DC

[Released at a European Commission press briefing 2 September
2003. Transcribed from a fax copy provided by Commission Bolkestein's
spokesperson through the European Commission Directorate-General
Press and Communication; emphasis in original. Additional background
information and other statements by Commissioner Bolkestein on
this topic are available at: http://hasbrouck.org/articles/travelprivacy.html]